System for reliable prevention of the restarting of a machine

ABSTRACT

A safety lock out switch system for the prevention of an unexpected restart of an electrically powered machine in whose main power circuit it is installed. Therein the power-free status of the power supply output of the system is confirmed visually. The system is configured so it is flexible, thus being able to be used in the most various types or sizes of machines. Technical aspects and safety aspects were taken into account therein so that the installation can be carried out in practically every country in the world.

This application is a U.S. National Phase Application under 35 USC 371 of International Application PCT/US00/07300 (published in English) filed Mar. 17, 2000.

BACKGROUND OF THE INVENTION

The invention relates to a system for the reliable prevention of the restarting of a machine.

For the protection of persons who work on equipment and machines or maintain them particular measures must be provided. There are various legal provisions which lay down the conditions for reliability functions. Widely disseminated is the use of repair switches which are intended to make individual parts of the machine or equipment power-free. However, these show failures even after 20,000 to 50,000 switching cycles and thus represent a potential risk.

In the case of production machines of larger dimensions the repair switches are disposed at points widely separated from one another. This leads to additional problems in monitoring since it cannot be insured that the component to be maintained is actually free of power. Motions causing danger must however be ruled out in the machine.

OBJECTS AND SUMMARY OF THE INVENTION

It is the objective of the invention to provide for a system which reliably prevents the restarting of a machine and which also can be used in spatially extended equipment.

This objective is realized by a system according to claim 1. Preferred embodiments are subject matter of the subclaims.

There are provided according to the invention, at least one disconnect switch which is disposed at the site of the machine at which the machine power is to be switched off, where each disconnect switch issues a disconnect signal to switch off the machine power, a power supply unit connected between the main switch of the main power circuit and the machine, where the main switch is at the power supply input of the power supply unit, and its power output is connected to the machine which maintains the supply of power to the machine interrupted by means of a power connection apparatus if at least one disconnect switch issues a disconnect signal, where a power monitoring apparatus checks the power output of the power supply unit for a voltage-free status, and the power connections apparatus which only permits a restart of the machine when none of the disconnect switches are issuing a disconnect signal; a control unit with a predetermined number of inputs for disconnect switches, or, if necessary, a collection and distribution unit, either of which reports the presence of a disconnect signal at one of its inputs to the power supply unit and receives the status of the power monitoring apparatus of the power supply unit and when the power-free status is reported issues a verification message to the disconnect switch which has supplied the disconnect signal; and, in case the number of disconnect switches is greater than the number of inputs of the control unit, at least one collection and distribution unit which has a predetermined number of inputs for disconnect switches or for an additional collection and distribution unit where at its output a disconnect signal is issued when a disconnect signal is present at one or more inputs.

The system according to the invention is used in particular for the prevention of an unexpected restart of the machine in whose main power circuit it is installed. Therein the power-free status of the power supply output of the system is verified visually. The system is configured so that it is flexible, thus being able to be used in the most various types or sizes of machines. Technical aspects and safety aspects were taken into account therein so that the installation can be carried out in practically every country in the world.

The system according to the present invention is not intended to switch off the system under load, it is not intended to be used as an Emergency Off switch, and it is not intended to be in the position by itself to permit the machine to start up. It is also not intended to replace a main switch. The machine must have its own Start/Stop commands so that an automatic Start is ruled out if the system according to the invention shows power at the power supply output. The system described in this invention, however, will not allow reclosure of the power connection apparatus if a fault is detected until the fault is cleared.

It is possible that individual machine components continue to be excluded from this safety system. This can relate, for example, to heating devices for adhesives and the like whose switching off may destroy parts of its equipment.

In principle forming the power supply unit and the control unit as an integrated component could be provided but as a rule they will be separate components.

The switch-off system of the invention thus comprises four different modules:

disconnect switches which offer the possibility to the operators of safely switching off the electrical power from the machine before they begin their work in a dangerous environment. These switches issue a disconnect signal and receive the (preferably visually displayed) verification of the power-free status,

collection and distribution units that collect and concentrate information from the disconnect switches or additional collection and distribution units. For this purpose a unit of this type preferably has a safety device with expansion modules for the transmission of the disconnect signals. The collection and distribution units also transmit the verification signal to the disconnect switch which has issued the disconnect signal.

a control unit which is used as the interface between the power supply unit and the collection and distribution units as well as to the disconnect switches. It is also responsible for the supply of power to the collection and distribution units and the verification message and includes the functionality of a collection and distribution unit. Preferably a monitoring relay, which receives the message concerning the status of the power monitoring apparatus of the power supply unit PB, as well as having a safety circuit which transmits the verification message concerning the power-free status of the power monitoring apparatus to the disconnect switches DS, is provided, more preferably a stabilized DC power source for the monitoring relay, the safety device in the control unit and for the safety device in the collection and distribution units, a non-stabilized DC power source for the verification circuit, and an insulation monitoring circuit for monitoring the insulation between lines which are held at the potential of the stabilized DC power source and lines which are held at the potential of the non-stabilized DC power source,

a power supply unit which transmits or disconnects the power for the machine or equipment through the power connection apparatus, a power monitoring apparatus, a control power supply source and, more preferably, a “four-relay” safety circuit.

The control unit as well as the collection and distribution units are the same for all forms of embodiment of the system according to the invention in whatever machine or equipment they are used. The monitoring is done practically independently of the size of the machine since the main circuits only run in the power supply unit.

The minimal configuration of a system according to the invention includes the power supply unit, the control unit, as well as at least one disconnect switch. The maximal configuration will depend on the number of disconnect switches required as well as on the distance of each collection and distribution unit as well as of each disconnect switch from the control unit.

In normal operation all disconnect switches are closed, that is, none of them issues a disconnect signal. Now if it is intended to provide for a reliable switch-off, the machine must first be stopped. This can, for example, happen through the agency of software by which a stop command is used by the machine. The operator who must work in an area will then switch the corresponding disconnect switch and lock it in the open position. Thereby a disconnect signal is issued which is provided to the power supply unit. On occurrence of the signal it will be checked according to set criteria whether the output of the power supply unit is power-free. When and only when this power-free status is actively confirmed will a verification display on the disconnect switch which has the disconnect signal light up and verify the power-free status. Only then may operators enter into the corresponding area of the machine. As soon as they have finished their work, they will unlock the disconnect switch and once again turn on the equipment. The verification display shuts itself off.

If all the disconnect switches are switched on, the supply of power to the machine is restored and it can be restarted via the Start command.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following the invention is to be explained with the aid of the accompanying drawings. Shown are:

FIG. 1 an example of a configuration of a system according to the present invention,

FIG. 2 a schematic representation of a power supply unit PB,

FIG. 3 a schematic representation of a control unit CB,

FIG. 4 a schematic representation of a collection and distribution unit MB.

DETAILED DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a configuration of the system according to the invention with which a machine can be provided which can be switched off at ten sites or machine parts.

Accordingly ten disconnect switches DS are provided. Of the ten disconnect switches DS a first set designated by 50 of disconnect switches DS is conducted to a collection and distribution unit MB1. A sixth input connection of the collection and distribution unit MB1 is allocated to an additional collection and distribution unit MB2 at which once again outputs of disconnect switches could be placed, which however can also be reserved as an option. In a practical development a collection and distribution unit will have six input connections although expansions are also possible. Like the collection and distribution unit MB1 the control unit CB has six inputs of which once again five, taken together designated by 52, 54, are allocated to disconnect switches DS. A sixth input receives the information from the collection and distribution unit MB1. The collection and distribution units as well as the control unit act as concentrators of signals which come from a lower level of the system. They must be disposed so that the drop in voltage between them is minimized and the entire cable length which is required for the connections between the disconnect switches and the power supply unit is optimized. The control unit CB also forms the interface to the power supply unit PB. The power supply unit PB is connected into the main circuit of the equipment or machine. Therein the main switch 10 of the main circuit is secured with a fuse 12 which is at the input 14 of the power supply unit PB. The output 16 of the power supply unit is connected to an additional machine switching device 18 at which the machine M lies. The switching device 18 serves for starting/stopping the machine.

The FIGS. 2 to 4 are highly schematized block circuit images of the individual components among themselves.

FIG. 2 shows in a schematic manner the internal structure of the power supply unit PB. A so-called “four-relay” safety circuit 22, which represents an expanded Emergency Stop switch-off for three phases and alternatively for three phases and a neutral line, has direct access to the power connections apparatus 28. It is the object of the German Patent Application 199 15 234.0 filed in the German Patent Office on Apr. 3, 1999, which is hereby incorporated herein by reference. Another example for an Emergency Stop circuit arrangement is given in DE 196 41 516 C1, which is hereby incorporated herein by reference. The safety circuit 22 reacts to a dual channel disconnect signal and/or to a single channel signal which reports an insulation error; both signals are supplied by the control unit CB (FIG. 3). The power supply unit PB contains furthermore as power monitoring apparatus 20 a safety relay of the type PU3Z of the firm Pilz GmbH & Co. which monitors the power status of the power supply output. Thereby it works as a threshold value circuit and recognizes a phase as power-free if the phase voltage does not exceed a threshold value of 10 V relative to the zero line. Provided in addition is a transformer 24 with 230 volt AC power at the output which supplies control power for the components of the power supply unit, and to the control unit CB (FIG. 3). Dual channel connections are provided to a monitoring relay of the control unit (FIG. 3). Via these the information concerning the power status of the power monitoring apparatus 20 is transmitted, if a disconnect signal is also reported and additional safety criteria are fulfilled. Auxiliary components 26 which are necessary for the proper operation of the power supply unit are not represented in detail, likewise the necessary protective apparatus for the components. Additional connections can be provided for connection to the equipment, likewise connections for a status display as well as a reset switch in the control unit CB.

FIG. 3 shows in a schematic manner the layout of a control unit. The control unit contains a monitoring relay 30 which receives the status of the voltage monitoring apparatus of the power supply unit (FIG. 2). The monitoring relay 30 is, for example, of the type PNOZx2.1 and is also distributed by Pilz GmbH & Co. The control unit further includes a stabilized DC power source 34 with 24 V for a safety device 32 and monitoring relay 30. The control unit further includes a non-stabilized DC power source 36 with 24 V that is controlled by the monitoring relay 30 which, depending on the status of the power monitoring apparatus (FIG. 2), provides for the verification displays on the disconnect circuits connected via the corresponding circuit 31 being lit up or not. So that an erroneous lighting up of these displays is avoided, an insulation checking apparatus 38 is placed between the non-stabilized DC power 24 V lines. This communicates whether the two 24 V circuits are correctly separated from one another, i.e., there are no isolation defects. If an error is recognized, the restart of the SLS is disabled until the insulation checking apparatus 38 is reset. The reset switch of the control unit CB will be able to reset the insulation checking apparatus 38 only if the insulation fault has disappeared. Additional testing apparatuses within the control unit and for the supply lines can be provided. The control unit has six input connections whose present signals are processed in the safety device 32 as in a collection and distribution unit (FIG. 4). The result of the processing is given as a dual channel disconnect signal to the four-relay safety circuit 22 (FIG. 2). Conversely dual channel connections serve as connection of the monitoring relay 30 to the power monitoring apparatus of the power unit, e.g. connection power status (FIGS. 2 and 3). Two signal lamps are provided, one which lights up if the system is ready to operate, the other if one of the disconnect switches is open. Additional connections for the connection to the machine can be provided. Via an interface 33 the external monitoring is possible.

FIG. 4 shows the schematic layout of a collection and distribution unit. Like the control unit it has six inputs as well as an output for disconnect signals. A safety device 40, which, for example, can be configured from safety relays with expansion modules according to need, processes the disconnect signals and passes the result to the next step of the system. Conversely the collection and distribution unit also provides for the verification signals being supplied to the corresponding disconnect circuits via circuits 42 provided therefor connecting the corresponding disconnect signal lamp. As an example safety device, a relay PNOZXM1 is suitable which is provided with expansion modules PNOZXE1, both once again by Pilz GmbH & Co. Via an interface 44 external monitoring is possible.

Preferably by the redundant design of the system according to the invention an increased reliability is achieved. Over the entire system a two-channel interrogation is done, for example of the status of the disconnect signal, in particular the “four-relay” safety circuit in the power supply unit has a double channel input.
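
The interlock logic described above (OR-concentration of disconnect signals through MB and CB, the 10 V power-free threshold, verification shown only at the switch that issued the signal, and the insulation-fault latch) can be modeled as a small simulation. This is an added illustration, not part of the patent text. All class and function names are assumptions, and suppressing the lamps while an insulation fault is latched is an assumed reading of the description.

```python
from dataclasses import dataclass, field

POWER_FREE_MAX_V = 10.0  # page: a phase is power-free if it does not exceed 10 V

@dataclass
class DisconnectSwitch:
    name: str
    open_and_locked: bool = False  # True: this switch issues a disconnect signal
    lamp: bool = False             # verification display at this switch

@dataclass
class Concentrator:
    """MB, or the input side of CB: six inputs, OR-ed into one disconnect output."""
    name: str
    inputs: list = field(default_factory=list)
    max_inputs: int = 6

    def attach(self, node):
        if len(self.inputs) >= self.max_inputs:
            raise ValueError(f"{self.name}: all {self.max_inputs} inputs in use")
        self.inputs.append(node)

    def switches(self):
        for node in self.inputs:  # descend through cascaded units
            yield from node.switches() if isinstance(node, Concentrator) else [node]

    def disconnect_signal(self):
        return any(s.open_and_locked for s in self.switches())

@dataclass
class LockoutSystem:
    cb: Concentrator
    insulation_fault_present: bool = False  # raw state of the insulation check
    insulation_fault_latched: bool = False  # stays set until a successful reset
    contactor_closed: bool = True           # power connection apparatus

    def reset(self):
        # The reset switch only clears the latch once the fault has disappeared.
        if not self.insulation_fault_present:
            self.insulation_fault_latched = False
        return not self.insulation_fault_latched

    def evaluate(self, phase_volts):
        """One scan. phase_volts: measured voltages at the power supply output."""
        self.insulation_fault_latched |= self.insulation_fault_present
        disconnect = self.cb.disconnect_signal()
        # Power stays interrupted while any switch signals or a fault is latched.
        self.contactor_closed = not (disconnect or self.insulation_fault_latched)
        # Verification needs the measured output, not just the open command.
        power_free = all(abs(v) <= POWER_FREE_MAX_V for v in phase_volts)
        # Assumption: a latched insulation fault also suppresses the lamps.
        verified = disconnect and power_free and not self.insulation_fault_latched
        for s in self.cb.switches():
            s.lamp = verified and s.open_and_locked  # only the issuing switch
        return self.contactor_closed

def build_fig1():
    """FIG. 1 topology: CB <- five DS + MB1; MB1 <- five DS + MB2 (reserved)."""
    mb2, mb1, cb = (Concentrator(n) for n in ("MB2", "MB1", "CB"))
    for i in range(1, 11):
        (mb1 if i <= 5 else cb).attach(DisconnectSwitch(f"DS{i}"))
    mb1.attach(mb2)
    cb.attach(mb1)
    return LockoutSystem(cb)
```

Passing a live voltage to `evaluate` while a switch is open models an output that stays energized despite the open command: the lamp at that switch stays off, so the operator gets no verification.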

The characteristics of the invention disclosed in the description above, in the drawings, as well as in the claims can be material individually as well as in arbitrary combination for the actualization of the invention.

What is claimed is:
1. A system for reliable prevention of unexpected start-up of a machine, characterized by at least one disconnect switch (DS) which is disposed at the site of the machine (M) at which, the output of the power supply unit (16) is actively confirmed to be power free, and where the verification message is permitted to be displayed only at each disconnect switch (DS) which issues a disconnect signal, if the machine power is switched off and if the output of the power supply unit is actively confirmed to be power free, the machine power is switched off, a power supply unit (PB) connected between the main switch (10) of the main circuit and the machine (M) where the main switch (10) is at the input of the power supply unit (14) and the output of the power supply unit (16) is connected to the machine (M), which power unit (PB) maintains the supply of the power to the machine, operated through (28) the power connections apparatus interrupted if at least one disconnect switch (DS) issues a disconnect signal where the power monitoring apparatus (20) checks the power output (16) of the power supply unit (PB) for a power-free status and which power supply unit permits a restart of the machine (M) if and only if none of disconnect switches (DS) is issuing a disconnect signal, a control unit (CB) with a predetermined number of inputs for disconnect switches (DS) or for a collection and distribution unit (MB), which reports the presence of a disconnect signal at one of its inputs to the power supply unit (PB) and receives the status of the power monitoring apparatus (20) of the power supply unit (PB) and, when the power-free status is reported, issues a verification message to the disconnect switch (DS) which has supplied the disconnect signal; and, if the number of disconnect switches (DS) is larger than the number of inputs of the control unit (CB), at least one collection and distribution unit (MB) having a predetermined number of inputs for disconnect switches (DS) or for a further collection and distribution unit (MB), wherein a disconnect signal is issued at its output when a disconnect signal is supplied at least at one input.

2. System according to claim 1 characterized by the fact that the power supply (PB) and control unit (CB) are separate components.

3. System according to claim 1 characterized by the fact that the control unit (CB) has a monitoring relay (30) which receives the message concerning the status of the power monitoring apparatus (20) of the power supply unit (PB) as well as a verification display circuit (31) which transmits the activation message concerning the power-free status of the power monitoring apparatus (20) to the corresponding disconnect switches (DS).

4. System according to claim 3 characterized by a stabilized DC power source (34) for the monitoring relay a non-stabilized DC power source (36) for the verification circuit and an insulation checking apparatus (38) for monitoring the insulation between lines which are maintained at the potential of the stabilized (insulated from ground) DC power source (34) and lines which are maintained at the potential of the non-stabilized (one line grounded) DC power source (36).

5. System according to claim 1 characterized by the fact that the collection and distribution unit (MB) has a safety device (40) for the transmission of the disconnect signals.

6. System according to claim 1 characterized by the fact that all the disconnect signal lines are designed as dual-channel lines and that the power monitoring apparatus (20) and verification display circuit (31, 42) as well as safety device with the expansion modules (40) are such with redundant measurement circuits and/or circuits.

7. System according to claim 1 characterized by the fact each disconnect switch (DS) has a signal lamp for the display of the verification message.